In the modern world of networked transaction processing, authentication is the only way to validate requests for financial services and other demands with any degree of security or data integrity. However, even with the current widespread use of encryption, security codes and personal identification numbers (PINs), existing systems are subject to various types of attacks or hacking. Such security breaches may, for example, be carried out through keyboard hooks and other data-sniffing techniques, magnetic card duplicators, smartcard emulators, and so forth.
At the same time, the number of electronic devices applicable to transaction and data processing has grown, including not only dedicated terminals adapted for such uses, but also general-purpose computing machinery, personal digital assistants (PDAs), and laptop, palmtop and notebook computers.
Existing authentication devices are deeply connected to computers or other devices, such as cable/satellite decoders, to validate a particular transaction. As such, these devices represent a single point of attack for hackers, who can emulate the authentication device, hook communication between the device and the software stored inside the “computer,” or even record and play back communication packets.
To prevent such activities, the industry is working on protocols to enable these devices to operate securely. But protocols have their own weaknesses, in the sense that once they are implemented and successfully attacked, patches may become available for widespread use on the internet for free.
Efforts have been made to provide a system for securing a transaction by using RFID keys, but to date none of the existing systems provides a means for securing a transaction in a tamper-proof manner. If a hacker has access to a server that contains the names and credit card numbers of clients, or of citizens with social security numbers, the damage can be huge. The hacker can take hold of millions of fingerprints or biometric data, and once the mafia has stolen a citizen's biometric fingerprint representations and that biometric input is in its hands, the citizen can never replace his biometric characteristics.
Most of the existing systems have opted to send the card holder's biometric characteristics to a remote server, which performs the authentication. In this particular case, what would happen to users' biometric data and/or templates when their biometric data has been stolen? How can biometric information that is correct but tampered with or hacked be repudiated? Most current systems use a remote server to authenticate, based on any of his biometric input characteristics, either a buyer, a citizen entering his own country, or a citizen entering a foreign country. The citizen will have a smart card with his biometric characteristics, and when he enters the foreign country he needs to enter an appropriate biometric input; the smart card reader will authenticate the person without the need to ‘ship’ the biometric data to a server somewhere in some part of the world, with no guarantee or assurance that, if the server is tampered with, it will not release the citizen's fingerprint, voice print, iris scan, signature, palm or any other biometric input to be stolen. In fact, it is highly likely that the citizen's biometric input could be tampered with in what is commonly used by either governments or merchants.
Accordingly, the need remains for systems and methods that allow the use of these alternative devices, including portable devices, while at the same time providing a level of security, scalability and transparency in conjunction with existing infrastructures that is at least as good as, and preferably much higher than, that of systems currently in use.